

This queue is for tickets about the ExtUtils-ParseXS CPAN distribution.

Report information
The Basics
Id: 123877
Status: new
Priority: 0/
Queue: ExtUtils-ParseXS

People
Owner: Nobody in particular
Requestors: ether [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Fwd: "Vulnerability" in Perl in the news
Date: Wed, 13 Dec 2017 11:16:55 -0800
To: bug-ExtUtils-ParseXS [...] rt.cpan.org
From: Karen Etheridge <perl [...] froods.org>
---------- Forwarded message ----------
From: Dave Rolsky <autarch@urth.org>
Date: Sun, Dec 10, 2017 at 11:31 AM
Subject: "Vulnerability" in Perl in the news
To: perl5-porters@perl.org

I use the word "vulnerability" in quotes, because press releases to the contrary, I'm not convinced there's anything exploitable here. However, this is getting reported as a "severe vulnerability" by websites for reasons I don't understand. No one will be surprised that this was some conference-driven research with the hype that unfortunately accompanies it.

Anyway, here's a link to the paper - https://www.blackhat.com/docs/eu-17/materials/eu-17-Arnaboldi-Exposing-Hidden-Exploitable-Behaviors-In-Programming-Languages-Using-Differential-Fuzzing-wp.pdf

The one thing listed for Perl is that the ExtUtils::Typemaps::Cmd module's embeddable_typemap sub will eval anything you pass it in an attempt to load a module based on the strings it gets.

This would only be a vulnerability if you wrote code that accepted arbitrary user input and passed it to that sub. But it's hard to imagine a case where that would happen. So I'd consider this a theoretical vulnerability at best.

That said, patching this module to do some basic validation of the passed strings isn't a terrible idea.

Cheers,

Dave Rolsky
http://blog.urth.org
https://github.com/autarch
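The "basic validation of the passed strings" suggested above, as an added illustration that is not part of this ticket and not ExtUtils::Typemaps::Cmd's own code. The function names `load_typemap_module_unsafe` and `load_typemap_module` are hypothetical; the first shows the pattern the thread describes (a caller-supplied string interpolated into a string eval), the second loads the same module by file path after checking that the string is shaped like a Perl package name, so no Perl source is ever built from the input.

```perl
#!/usr/bin/env perl
# Added illustration; hypothetical helpers, not the module's real implementation.
use strict;
use warnings;

# The pattern under discussion: the module name is interpolated into Perl
# source and evaluated, so any code embedded in the string also runs.
sub load_typemap_module_unsafe {
    my ($name) = @_;
    eval "require $name; 1" or die "cannot load $name: $@";
    return $name;
}

# Hardened variant: accept only Foo, Foo::Bar, Foo::Bar::Baz ..., turn the
# name into a relative path, and use the file form of require (no string eval).
sub load_typemap_module {
    my ($name) = @_;
    die "invalid module name: '$name'\n"
        unless $name =~ /\A[A-Za-z_]\w*(?:::[A-Za-z_]\w*)*\z/;
    (my $file = "$name.pm") =~ s{::}{/}g;    # ExtUtils::Typemaps -> ExtUtils/Typemaps.pm
    require $file;                            # file require: input is never parsed as code
    return $name;
}

# Constructed inputs: a core module that ships with ExtUtils::ParseXS, and a
# string that contains a statement after the module name.
for my $input ('ExtUtils::Typemaps', 'ExtUtils::Typemaps; print "extra code ran\n"') {
    my $ok = eval { load_typemap_module($input); 1 };
    printf "%-45s => %s", $input, $ok ? "loaded\n" : "rejected: $@";
}
```

Run with `perl validate_typemap_name.pl`: the first input loads, the second is rejected before anything is evaluated. Restricting the check to a package-name grammar (rather than trying to blacklist characters) is what makes the interpolation safe even if a later refactor reintroduces a string eval.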